CGRC Practice Test

1. Security and privacy assessments at the operations and maintenance phase of the life cycle ensure that security and privacy controls continue to be effective in the operational environment and can protect against constantly evolving threats.
    True
    False
    Maybe
    Not Sure

2. Information System registration is completed by:
    The Information Security Architect who manages the Information System inventory and registry
    The CISO, who maintains the registry
    The Information System Owner, assisted by the Information System Security Officer
    The CIO after reviewing and approving the system registration

3. Security Assessments are used to determine whether a security control demonstrates which of the following?
    The Security Control Assessors cannot recommend an improvement in the security control
    It exactly meets the security control assessment method
    The control exhibits traceability to the security design.
    The control was implemented correctly, operating as intended, and producing the desired outcome

4. Implementation detail addresses __________ (choose from the options below)
    Where, how, why and how
    Who, What, When and how
    You, who, how and Solution
    Why, when, whereabout, system owner

5. Security commensurate with the risk and the magnitude of harm resulting from loss, misuse, or unauthorized access to or modification of information is known as:
    Impact
    Minimum Security Requirement
    Adequate Security
    Risk

6. NIST SP 800-55 defines performance management criteria, which translate into key performance indicators (KPI) using what evaluation criteria?
    Measures of compliance, measures of efficiency, and impact measures
    Measures of effectiveness, measures of efficiency, and measures of compliance
    Measures of effectiveness, measures of efficiency, and impact measures
    Measures of compliance, measures of effectiveness, and impact measures

7. The purpose of the Assess Step is to determine if the controls selected for implementation are __________, __________, and __________ with respect to meeting the security and privacy requirements for the system.
    Durability and Scalability
    Implemented correctly
    Operating as intended
    Producing the desired outcome

8. __________ is required for an information system to transition into the Operation and Maintenance Phase of the SDLC Life Cycle.
    System Development Lifecycle
    ATO (Authorization to Operate)
    Penetration Testing
    Security Assessment

9. The minimum security control required for safeguarding an information technology system based on its defined impact levels for confidentiality, integrity and availability is known as:
    Necessary Security
    Sufficient Security
    Baseline Security
    Adequate Security

10. What System impact level is defined as "The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, assets, or individuals"?
    Very High
    Adequate
    Low
    Moderate

11. Organizations prepare and manage risk at all levels (Organization, Mission/Business and Information System) of the organizational hierarchy for the following reasons, except:
    Risk Management is an enterprise-wide program
    No organization level is immune to risk
    Risk is present at all three levels or tiers of the organization
    Risk is only present at the information system level.

12. In RMF Step 4, what System Development Life Cycle (SDLC) phase(s) is/are valid?
    Development/Acquisition and Implementation
    Implementation and Operation and Maintenance
    Implementation
    Development/Acquisition

13. Risk assessment is used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
    False
    Not Sure
    Somewhat
    True

14. All of the following are correct except:
    Assessment Object is a set of determination statements that expresses the desired outcome for the assessment of a security control, privacy control, or control enhancement.
    Penetration Testing is a test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system
    Security Assessment Plan is the objective for the security control assessment and a detailed road map of how to conduct such an assessment.
    Quantitative Risk Assessment is the use of a set of methods, principles, or rules for assessing risk based on numeric categories or levels.

15. Who is responsible to ensure that the security controls are adequate to protect all agency systems, and provide an annual FISMA report to OMB and Congress?
    Chief Information Security Officer
    Chief Information Officer
    Head of Agency
    Risk Executive

16. The two primary roles defined in the RMF Step 2 are:
    Information System Owner (ISO) and Information Owner (IO)
    Authorizing Official (AO) and Information System Owner (ISO)
    Chief Information Officer (CIO) and Chief Information Security Officer (CISO)
    Information System Owner (ISO) and Information System Security Officer (ISSO)

17. An Information Type is defined as:
    Either a major application or general support system
    The specific category of Information defined by an organization or a specific law
    A business reference model (BRM) category
    Those information types listed in FIPS 199

18. The primary references for RMF Step 6 are:
    SP 800-37 and SP 800-53A
    SP 800-39 and SP 800-53
    SP 800-53A and SP 800-115
    SP 800-37 and SP 800-39

19. According to NIST SP 800-37 Rev. 2, the RMF incorporates privacy risks, i.e., Personally Identifiable Information (PII), and supply chain risk.
    True
    False
    Compliance
    Not Sure

20. Common control can be based on, and incorporated from, which security control classes?
    Management, Operational and Logical
    Management, Operational and Technical
    Administrative, Technical and Physical
    Operational, Technical and Logical

21. NIST Cybersecurity Framework includes the following stages or steps:
    Categorize, Build, Code, Testing, Deploy and Monitor
    Identify, Protect, Detect, Respond and Recover
    Select, Implement, Protect, Code, and Deploy
    Monitor, Disaster, Forensic, Management and Assessment

22. The following are types of Personally Identifiable Information (PII) (choose all that apply):
    Address
    Mother's Maiden Name
    Name
    Date and Place of Birth
    Social Security Number
    Phone number

23. __________ could be a weakness in the hardware, the software, the configuration, or even the users operating the system.
    Assessment
    Management
    Compliance
    Vulnerability

24. __________ are hardware, software, or firmware safeguards and countermeasures employed within an information system.
    Vulnerability
    Management
    Information System Mechanisms
    Security and Compliance

25. The purpose of the implementation step is to implement the controls in the security and privacy plan for the system and for the organization to document in a configuration, the specific details of the control implementation.
    True
    Compliance
    Assessment
    False

26. __________ is a formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
    Contingency Planning (CP)
    System of Record
    Security Assurance Book (SAB)
    System Security Plan (SSP)

27. According to NIST SP 800-37 Rev. 2, __________ is the starting point and is incorporated into the RMF process to achieve a more effective, efficient, and cost-effective execution of risk management processes.
    Implementation Phase
    Categorize
    Prepare Step
    Monitoring Security Control

28. What is the function of RMF Task 6-6, and what primary roles exist?
    Risk acceptance, accomplished by AO and DR
    Risk determination, accomplished by the AO and DR
    Risk determination, and acceptance, accomplished by AO and DR
    Risk determination and acceptance, accomplished by the AO

29. The following are major types of security control…
    Mechanical, Obstructional, Technical
    Technical, Operational, Management
    Technical, Operate, Mechanical
    Technological, Operability, Ministerial

30. Plan of action and milestones includes all of the following except:
    Estimated funding to address the weakness
    Responsible office or organization
    Types of weakness
    Milestone changes
    Status
    Scheduled completion date
    Enhancements
    Source that identified the weakness
    Key milestones with completion dates

31. The __________ establishes the scope of protection for an information system (i.e., defines what the organization wants to protect under its direct management or within the scope of its responsibilities).
    Authorization Boundary
    Risk Assessment
    System Categorization
    Penetration Testing

32. Vulnerabilities could result from…
    Baseline Mis-configurations
    Penetration Testing
    Vulnerability Testing
    Software Flaws

33. The following are assessment tasks that need to be performed in sequential order (Task 1 through Task 5). Choose all that apply.
    Assess the controls in accordance with the assessment procedures described in assessment plans.
    Develop, review, and approve plans to assess implemented controls.
    Select the appropriate assessor or assessment team for the type of control assessment to be conducted.
    Conduct initial remediation actions on the controls and reassess remediated controls
    Categorize the system to determine the security objectives using FIPS 199 and NIST 800-53.
    Prepare the assessment reports documenting the findings and recommendations from the control assessments.

34. The risk management process comprises which four components?
    Formulation, Assess, Respond, Monitor
    Plan, Do, Check, Act
    Frame, Assess, Respond, Monitor
    Frame, Action, Respond, Manage

35. The components of an information system to be authorized for operation by an Authorizing Official (AO) are known as:
    System Owner boundary
    Authorization Boundary
    Authorized Information System
    Authorization system implementation

36. Continuous monitoring is best described as:
    Security Control
    Operational
    A new security concept
    A security process that requires common control implementation

37. Security controls can be designated as the following except:
    Hybrid Controls
    Common Control
    Assurance Controls
    System Specific Controls

38. The primary reference used to create a System Security Plan (SSP) is:
    NIST SP 800-18
    NIST SP 800-39
    NIST SP 800-15
    NIST SP 800-37

39. __________ are detailed guidance and constraints regarding the execution of information security testing, established before the start of a security test, and give the test team authority to conduct defined activities without the need for additional permission.
    Assessment Appropriation
    Assessment Authorization
    Rules of Engagement
    Permission Structure

40. Assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals (AIMS).
    True
    False
    POAM
    Not Sure

41. __________ is the guide for Mapping Types of Information and Information Systems to Security Categories.
    NIST SP 800-62
    NIST SP 800-37
    NIST SP 800-53
    NIST SP 800-60

42. The potential impact is __________ if the loss of confidentiality, integrity or availability could be expected to have a serious or significant adverse effect on organizational operations, organizational assets or individuals, other organizations and/or the Nation.
    Moderate
    Very High
    High
    Medium

43. The System Security Plan (SSP) should exist:
    After the system boundary is established
    Before the system can be registered
    After the system is categorized
    Before the system is categorized

44. The potential impact is __________ if the loss of confidentiality, integrity or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals, other organizations and/or the Nation.
    High
    Low
    Moderate
    Very High

45. __________ describes the specific measures planned to correct identified weaknesses or deficiencies in the security controls and to address known vulnerabilities in the information system.
    POAM
    Vulnerability
    Management
    Security

46. __________ are the security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
    Operational Controls
    Privacy Controls
    Management Controls
    Technical Controls

47. The authorization to operate (ATO) is the official management decision to formally accept risk and authorize operation of an information system.
    True
    False
    Not Sure
    Most Likely

48. Risk assessment and risk determination include, in the proper order:
    Threat, vulnerabilities, probability, and impact
    Threat, probability, impact, and vulnerabilities
    Probability, threat, vulnerabilities, and impact
    Vulnerabilities, threat, probability, and impact

49. How often is a Security Assessment Report (SAR) updated and why?
    Every three years to incorporate all updated changes and rename it.
    Annually as determined by FISMA and OMB memorandum.
    On an ongoing basis whenever changes are made, and incrementally versioned
    Annually as determined by the agency, and incrementally versioned

50. __________ and __________ are responsible for security control assessment.
    Information System Owner and Common Control Provider
    Information System Owner and Authorizing Official
    Information System Owner and Information Owner
    ISSO and CIO

51. __________ is a document that identifies tasks that need to be accomplished and describes the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for milestones.
    Penetration Testing
    Vulnerability Management
    Security Assessment
    POAM (Plan of Action and Milestones)

52. __________ is conducted throughout the System Development Life Cycle but more significantly at these phases: the Development/Acquisition and Implementation phases and the Operations and Maintenance phase of the life cycle.
    Operation Management
    Vulnerability Scan
    Penetration Testing
    Security Assessment

53. The activities or tasks that must be carried out by various organizational officials to appropriately select and tailor the control baseline and document the selected controls in the system's security and privacy plan are the following except:
    Control Allocation
    Plan Review and Approval
    Implementation
    Documentation of Planned Control Implementation
    Control Tailoring
    Control Selection
    Continuous Monitoring Strategy

54. System Development Life Cycle stages include the following:
    Disposal
    Development/Acquisition
    Implementation
    Initiate
    Operation/Maintenance

55. __________ are document-based artifacts (e.g., policies, procedures, plans, system security and privacy requirements, functional specifications, architectural designs) associated with an information system.
    Assessment
    Specifications
    Interview
    Objective

56. What is the role of the Common Control Provider (CCP) in RMF Step 2?
    The organization defines the role for the common control provider, which is identified in the Information Security Program Plan, as shown in PM-1
    None, because the common control system generally does not incorporate an information type
    None, because the common controls are not defined before RMF Step 3
    Primary, because the common control system includes an information type

57. At the __________, security assessments are conducted to ensure that important organizational information is purged from the information system prior to disposal.
    Implementation Phase
    End of System life cycle
    Acquisition/Development Phase
    Operation/Maintenance Phase

58. Any telecommunication or information system that is defined as a national security system and that processes any information the loss, misuse, disclosure, or unauthorized access to or modification of which would have a debilitating impact on the mission of an agency is said to be:
    Mission Impact
    Mission Critical
    Management Impact
    Critical Mission Impact

59. Which of these statements is incorrect?
    Security Control cannot be a common control among disparate systems.
    Common Control is inherited by multiple information systems or programs.
    Hybrid Control is implemented for an information system in part as a common control and in part as a system-specific control
    System Specific Controls are implemented at the system level and are not inherited by any other information system.

60. Once a system is authorized to operate, who is ultimately responsible to ensure that the system continues to operate in accordance with the terms and conditions?
    Authorizing Official
    Authorizing Official Designated Representative
    Both the Information System Owner and the Authorizing Official
    Information System Owner

61. The two principal references that are used to categorize Information Systems are:
    NIST SP 800-60 and FIPS 199
    FISMA and FIPS 200
    NIST SP 800-62 and NIST SP 800-60
    NIST SP 800-59 and FIPS 200

62. All of the following considerations or requirements are correct except:
    For high-impact information systems, organizations must select at a minimum, security controls from the high baseline of security controls defined in NIST Special Publication 800-53
    For low-impact information systems, organizations must select at a minimum, security controls from the low baseline of security controls defined in NIST Special Publication 800-53
    For moderate-impact information systems, organizations must select at a minimum, security controls from the moderate baseline of security controls defined in NIST Special Publication 800-53
    Determining the impact of loss on confidentiality, integrity and availability is never a consideration for the selection of security control baseline.

63. __________ includes the people, processes, and information technologies (i.e., system elements) that are part of each system supporting the organization's missions and business functions.
    Authorization Boundary
    Authorization Model
    Authorization Association
    Authorization to Operate (ATO)

64. As defined by NIST SP 800-53A, assessment cases for conducting security control assessment have which logical flow?
    Assessment methods, which dictate assessment procedures, assessment objectives, and assessment objects
    Assessment procedures, assessment objectives, assessment objects, which are evaluated using assessment methods.
    Assessment objects dictate assessment methods, which then leverage assessment objectives or procedures.
    Assessment objectives, assessment procedures, assessment objects, which are evaluated using assessment methods

65. The organization's overall strategy for communicating organizational risk identified through continuous monitoring results would be contained in the:
    Risk Management Strategy
    Risk assessment policy and procedures
    Continuous Monitoring Strategy
    Information Security Program Plan

66. The three tasks for RMF Step 2 are:
    Review the starting point, determine the information types, and categorize the information system
    Determine the information types, determine the security objectives, and categorize the system.
    Assign roles, create plan of action and milestones (POA&M), and categorize the system
    Security Categorization, Information System Description, and Information System Registration

67. __________ are controls that are inheritable by one or more outside organizational information systems or programs:
    Vulnerability Scan
    Management Controls
    Inherited security controls
    Security Controls

68. The authorization to operate (ATO) is the official management decision to formally accept risk and authorize operation of an information system. Who is responsible to issue the ATO?
    Information System Owner
    Chief Information Security Officer
    Authorizing Official Designated Representative
    Authorizing Official

69. The following types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment are called:
    Assessment Object
    Assessment Method
    Assessment Objectives
    Assessment Mechanism

70. The types of authorization decision that can be rendered by the authorizing official for an information system include the following except:
    Denial of Authorization to Operate
    Interim Authorization to Operate (IATO)
    Authorization to Denied
    Authorization to Operate

71. __________ activities should also be applied throughout the information system development life cycle.
    Authorization to Operate
    Compliance Management
    Risk management
    Vulnerability Management

72. The two pillars of continuous monitoring are:
    Near real-time risk management and security control effectiveness.
    Monitoring for change and security control effectiveness
    Ongoing authorization and security control effectiveness
    Ongoing authorization and near real-time risk management

73. A moderate common control system can be used to protect a high system if specific tailoring is applied, and the information system owner determines that tailoring achieves the minimum assurance requirement.
    True
    Somewhat
    Not Sure
    False

74. __________ describes the specific measures planned to correct identified weaknesses or deficiencies in the security controls and to address known vulnerabilities in the information system.
    POAM
    Management
    Assessment
    Vulnerability

75. Potential impact values for confidentiality, integrity, and availability are not the same for each information type; as such, the __________ must be used to determine the overall impact level of the information system.
    High Water Mark Concept
    Security Assessment Model
    Vulnerability Management Concept
    Authorization to Operate (ATO)

76. The security control analysis results and recommended corrective actions are contained in:
    Security Assessment Report and Plan of Action and Milestones
    System Security Plan
    Plan of Action and Milestones
    Security Assessment Report

77. Supply chain (Privacy) threat events may range from insertion of counterfeits, unauthorized production, tampering, theft, to insertion of malicious software and hardware.
    Somewhat
    True
    Not Sure
    False

78. __________ can be defined as a weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.
    Vulnerability
    Threat
    Risk
    Conditional Acceptance

79. __________ is considered a type of security assessment.
    Self assessment by information system owner and common control provider
    Independent Assessment
    Independent audit or inspection
    All of the above
    Independent verification and validation

80. Security categorization conducted in accordance with FIPS 199 provides for what degree of impact analysis using the high water mark concept?
    Worst-case
    Best-case
    Predicated-case
    Average-case

81. Categorization of the Information and Information System is one of the most crucial steps, and if done incorrectly and the system is not categorized appropriately, every subsequent step may suffer from the decisions made at the categorization step.
    No (False)
    Yes (True)
    Somewhat
    Not Sure

82. The security control tailoring process includes scoping considerations, compensating controls, organization-defined parameters, and __________.
    Identifying and designating common controls and supplementing baselines
    Identifying and designing common controls and providing additional specification information for control implementation if needed.
    Identifying and designating common controls, supplementing baselines, and providing additional specification information for control implementation if needed.
    Supplementing baselines and providing additional specification information for control implementation if needed.

83. __________ indicates that the security control addresses the determination statement and the evidence collected indicates the assessment objective for the control has been met, producing a fully acceptable result.
    Other Than Satisfied (O)
    Operation
    Compliance
    Satisfied (S)

84. A risk assessment can be started when?
    After the information types and system have been categorized
    After the system boundary has been established
    After the RMF starting point is accounted for
    After the system has been registered.

85. The purpose of the __________ is to determine the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems.
    Operation and Maintenance Step
    Select Step
    Categorize Step
    Risk Management Step

86. A privacy impact assessment (PIA) is required when?
    Only when the system will incorporate privacy information
    Before a system enters the development phase of the SDLC, when privacy information will be incorporated
    When the information system owner determines that it is required.
    Later in the RMF Task 2.2

87. At what point is risk completely eliminated?
    When compensating control is applied
    When control enhancement is applied
    Risk can never be eliminated. There will always be residual risk
    When security control is applied

88. Assessment objects include specifications, mechanisms, activities and:
    Policies
    Individuals
    Directives
    Configurations

89. The potential impact is __________ if the loss of confidentiality, integrity or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals, other organizations and/or the Nation.
    High
    Moderate
    Medium
    Moderate-High

90. The Selection of Security Controls is contingent on the __________ completed at RMF Step 2.
    Security Assessment
    SDLC
    Management Controls
    Security Categorization

91. NIST SP 800-53 defines how many security control families without adding in the Privacy Controls?
    18 Control Families
    16 Control Families
    17 Control Families
    22 Control Families

92. __________ is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
    Information system
    Information Assurance
    Information Protection
    Information Security

93. Security and Privacy Controls have the following structure except:
    References section
    Related controls section
    Supplemental guidance section
    Control enhancements section
    Authorization section
    Base control section

94. __________ Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security
    Adequate Security
    Countermeasures
    Safeguards
    Protection

95. Who has primary responsibility to prepare the plan of action and milestones (POAMs) based on the findings and recommendations identified in the SAR?
    Chief Information Security Officer
    Common Control Provider
    Risk Executive
    Information System Security Officer

96. In cases where robust continuous monitoring has been implemented, the authorization decision document termination date may have the following value:
    The termination date would be annual instead of three years
    The date can be extended to five years but only when robust continuous monitoring is applied to the system
    The termination date is no longer required to be annotated
    Any date range, but must be within three years as required by FISMA

97. A repeatable and documented security assessment methodology is beneficial in that it can: (1) provide consistency and structure to security testing, which can minimize testing risks, (2) expedite the transition of new assessment staff, and:
    Address resource constraints associated with security assessment
    Provide a guarantee of security control effectiveness
    Eliminate the need for periodic assessment testing
    Improve the ability of security controls to demonstrate control effectiveness

98. Which attribute of a control implementation detail is incorrect?
    Implementation detail: describes what solution is implemented or planned or compensated
    Review Period: describes how often the solution is reactivated or updated.
    Control Requirement Satisfied By: describes how a solution meets the requirements of the control
    Control Enhancement Implementation Details: describes what solution is implemented, planned or compensated, to increase the strength of a base control

99. Assessment findings identify that a security control resulted in a determination of satisfied or:
    Remediated
    Other than Satisfied
    Unsatisfactory
    Unacceptable

100. The stages of a System Development Life Cycle include…
    Implementation, Security, Vulnerability, Management, Processes, Constitutionality
    Development/Acquisition, Disposable, Implement, Initialization, Operational Control
    Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal/Disposition
    Maintenance, Management, Monetary, Security, Capability and Vulnerability

101. The policy and procedures for breach notification are mandated in which reference?
    OMB Memorandum and the Security Control Catalog
    Security Control Catalog and the Privacy Control Catalog
    The Privacy Control Catalog and the Information Security Program Plan
    Privacy Control Catalog and OMB Memorandum

102. The key RMF roles include:
    System Owner, Manager, Director, Customer Advocate, Control Assessor, Chief Security Officer, Security Architect.
    Customer Service Representative, Manager, System Administrator, Security Engineer, HR Director, Communication Director, Director of Finance
    Accountant, CRM, Vulnerability Manager, Security Assessor, President, Managing Director
    Authorizing Official, Information System Owner, Information System Security Officer, Common Control Provider, Information Owner/Steward, Security Control Assessor, Chief Information Officer, Risk Executive, Authorizing Official Designated Representative

103. Beyond NIST SP 800-37, the primary references used for RMF Step 5 (Assessment) are:
    NIST SP 800-39 and NIST SP 800-53
    NIST SP 800-53 and NIST SP 800-37
    NIST SP 800-53A and NIST SP 800-115
    NIST SP 800-47 and NIST SP 800-53A

104. Before an AO issues a rescission letter, which two NIST roles should the AO consult with?
    CIO and RE
    CISO and RE
    CIO and CISO
    CISO and ISO

105. All the following are correct except:
    Balancing security and privacy considerations with mission and business needs is vital to achieving an acceptable risk-based authorization decision.
    The system owner or common control provider is responsible for the development, compilation, and submission of the authorization package.
    The Authorizing Official Designated Representative is explicitly responsible for the acceptance of risk, and this cannot be delegated to other officials in an organization.
    The authorization package provides a record of the results of the control assessments and provides the authorizing official with the information needed to make a risk-based decision on whether to authorize the operation of a system.

106. The three types of authorization approaches include:
    Single, Multiple, Joint
    Single, Multiple, Leveraged
    Single, Joint, Leveraged
    Internal, External, Cloud

107. The terms and conditions for the common control authorization provide a description of any specific limitations or restrictions placed on the operation of the system or the controls that must be followed by the system owner or common control provider.
    False
    True
    Most Likely
    Not Sure

108. Which of the following is incorrect regarding the implementation tasks, activities or process?
    The implementation phase marks the progress in the RMF process after the system has been categorized and the security control baseline has been selected based on the system category.
    Business Impact Analysis is the process of controlling modification to hardware, firmware, software and documentation to protect the information system against improper modification prior to, during or after system implementation.
    Business Continuity Plan provides procedures for sustaining an organization's processes during and after a disruption.
    Patch Management is the systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are also called patches, hot fixes and service packs.

109. __________ is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability (exploit a weakness or vulnerability to obtain, damage or destroy an asset).
    Vulnerability
    Threat
    Contingency
    Probability

110. What are the core security objectives or the tenets of information security?
    Vulnerability, Pentest, Accounting
    Confidentiality, Integrity, Availability
    Accounting, Assessment, Authentication
    Condition, Introduction, Annuity

111. __________ is a safeguard or countermeasure designed, built or embedded into the system to minimize security risk.
    Security Assurance
    Security Control
    Protection Activity
    Pentest

112. The Risk Management Framework includes these phases or stages…
    Planning, Organizing, Implement, Vulnerability, Assess, Produce
    Configuration, Coding, Monitoring, Testing, Deployment
    Select, Control, Managed, Assess, Authorize, Monitor
    Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor

113. The authorization package includes an executive summary and __________, __________, and __________.
    Business Impact Analysis (BIA)
    POAM (Plan of Action and Milestones)
    System Security Plan (SSP)
    Security Assessment Report (SAR)

114. Conditions that may warrant a formal re-authorization include (choose all that apply):
    New or upgraded components
    Change of the Authorizing Official
    Authorization period has expired (3 years maximum)
    Modification or configuration changes
    Modifications of Security Controls
    Multitasking

115. __________ are actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
    Acquisition/Development
    Management
    Countermeasures
    System Development Life Cycle (SDLC)

116. The possibility or likelihood of a threat exploiting a vulnerability resulting in loss, damage or destruction of an asset is called…
    Assessment
    Risk
    Penetration Testing
    Compromise

117. __________ is defined as the security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
    Management Control
    Operational Control
    Technical Control
    Privacy Control

118. You have just completed a System Impact Analysis. What are the next RMF Task and applicable System Development Life Cycle (SDLC) phase?
    Task 6-2 and the Implementation Phase
    Task 6-1 and the Operation and Maintenance Phase
    Task 6-1 and the Implementation Phase
    Task 6-2 and the Operation and Maintenance Phase

119. RMF Task 6-7 is associated with what System Development Life Cycle (SDLC) phase?
    System Shutdown
    Operation and Maintenance
    Removal
    Disposal

120. __________ is a requirement levied on an information system that is derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure
    Security Requirement
    Assurance
    Adequate Security
    Countermeasure

121. The generalized format for expressing the security category, or SC, of an information type is:
    SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
    SC information type = {(confidentiality, Remediated), (integrity, Fix), (availability, impact)}
    SC information type = {(confidentiality, Managed), (integrity, impact), (availability, impact)}
    SC information type = {(confidentiality, Moderate), (integrity, Moderate), (availability, Moderate)}

122. To assign the system categorization, NIST SP 800-60 has four steps. What are they?
    Review, select, coordinate and register
    Determine, review, select and categorize
    Select, review, assign and categorize
    Identify, select, review and assign

123. For partial assessments, information system owners and common control providers collaborate with organizational officials that have an interest in the assessment. The selection of security controls depends on the continuous monitoring strategy established by the information system owner or common control provider to ensure that (1) items on the plan of action and milestones (POAM) receive adequate oversight; (2) controls with greater volatility or importance to the organization are assessed more frequently, and:
    The Risk Executive remains informed about those security controls that are still deemed to be effective
    Control implementations that have changed since the last assessment are re-evaluated.
    Most of the controls are assessed during the authorization period established by federal legislation, policies, direction, standards, and guidelines.
    Controls that have changed since the last assessment and are not assessed during the current assessment are properly documented for the Authorizing Officials.

124. All of the following are correct except:
    Low-impact system is an information system in which all three of the security objectives are low.
    High-impact system is an information system in which at least one security objective is high.
    Moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate.
    Medium-impact system is an information system in which all three of the security objectives are low or medium high.

125. Security control effectiveness is determined based on an evaluation of:
    Demonstration that the control was implemented correctly, operating as intended and producing the desired outcomes.
    Management, Operational and Technical controls
    Management, Operational and Logical controls

126. What are the NIST Special Publications that guide the Selection of Security Controls?
    NIST SP 800-18 and FIPS 199
    NIST SP 800-60 and FIPS 200
    NIST SP 800-47 and FIPS 199
    NIST SP 800-53 and FIPS 200

127.
Assessment methods define the nature of the assessor actions and include the examine methods, the interview method, and the: Governance method Box method Test Method Assess method 128. Along with the information System Owner, Common Control Provider, and Authorizing Official, the other primary role that occurs in RMF 6 – Monitor is: Security Control Assessor Senior Information Security Officer Chief Information Officer Information System Security Officer 129. The objective of conducting security assessment early in the life cycle is to ————— and the security controls to ensure that the system design, and testing validate the implementation of those controls. Ensure compliance Perform Vulnerability Scanning Develop POAM Identify security and privacy related deficiencies/vulnerabilities/weaknesses 130. Risk Assessment process includes: (Choose all that apply) Threat Impact Analysis Likelihood Determination Control Recommendation Control Analysis Documentation Vulnerability Risk Determination 131. ____________ is any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Selection Management Information Comunication 132. Which of the RMF role has the statutory authority to assume the responsibility for accepting organization risk and also can authorize system to operate (ATO)? System Owner (SO) Authorizing Official (AO) Chief Information Officer (CIO) Authorizing Official Designated Officer 133. In RMF Step 6-4, the focus is on which document(s)? System Security Plan Security Assessment Report Plan of Action and Milestones System Security Plan, Security Assessment Report, and Plan of Action and Milestones 134. A well-designed and well-managed continuous monitoring program can effectively transform which area? Risk determination processes Security control selection System log collection Dynamic security control assessments 135. ………………. 
is safeguard or countermeasure for an information system that is primarily implemented and executed by the information system through mechanisms contained in the hardware, software, and firmware components of the system. Security Assessment Security Controls Security Plan Security and Compliance model 136. Establishing an appropriate security category for an information type simply requires determining the potential impact for each security objective associated with the particular information type. True False Independently Not Sure 137. FIPS 199 is all of the following except: Defines the security categories, security objectives, and level of impact to which SP 800-60 maps information types. Standards for Security Categorization of Federal Information and Information Systems Guide for Mapping Types of Information and Information Systems to Security Categories Establishes security categories based on the magnitude of harm expected to result from compromises 138. ____________ is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability. Confidentiality Information Security Authentication Information System 139. ______________ is the process of determining the security category for information or an information system. Security Categorization Security Classification Security Assessment Security Authorization 140. According to the NIST SP 800-37 revision II, Risk Management Framework has 7 distinct phases or stages. What is the proper order of progression through the cyclical process? Prepare for Risk Management Implement Security Controls Assess Security Controls Categorize Information System Development/Acquisition Authorize Information System Monitor Security Controls Loading …